From: James Morris <james.l.morris@oracle.com>
To: "Mahesh Bandewar (महेश बंडेवार)" <maheshb@google.com>
Cc: LKML <linux-kernel@vger.kernel.org>,
Netdev <netdev@vger.kernel.org>,
Kernel-hardening <kernel-hardening@lists.openwall.com>,
Linux API <linux-api@vger.kernel.org>,
Kees Cook <keescook@chromium.org>,
Serge Hallyn <serge@hallyn.com>,
"Eric W . Biederman" <ebiederm@xmission.com>,
Eric Dumazet <edumazet@google.com>,
David Miller <davem@davemloft.net>,
Mahesh Bandewar <mahesh@bandewar.net>
Subject: Re: [PATCHv3 0/2] capability controlled user-namespaces
Date: Sat, 30 Dec 2017 19:31:43 +1100 (AEDT) [thread overview]
Message-ID: <alpine.LFD.2.20.1712301931360.24310@localhost> (raw)
In-Reply-To: <CAF2d9jit74_VCdD-pEFy3bJo2W1-0cDo0BOJC5beJiy8yFPCWg@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 4949 bytes --]
On Wed, 27 Dec 2017, Mahesh Bandewar (महेश बंडेवार) wrote:
> Hello James,
>
> Seems like I missed your name to be added into the review of this
> patch series. Would you be willing be pull this into the security
> tree? Serge Hallyn has already ACKed it.
Sure!
>
> Thanks,
> --mahesh..
>
> On Tue, Dec 5, 2017 at 2:30 PM, Mahesh Bandewar <mahesh@bandewar.net> wrote:
> > From: Mahesh Bandewar <maheshb@google.com>
> >
> > TL;DR version
> > -------------
> > Creating a sandbox environment with namespaces is challenging
> > considering what these sandboxed processes can engage into. e.g.
> > CVE-2017-6074, CVE-2017-7184, CVE-2017-7308 etc. just to name few.
> > Current form of user-namespaces, however, if changed a bit can allow
> > us to create a sandbox environment without locking down user-
> > namespaces.
> >
> > Detailed version
> > ----------------
> >
> > Problem
> > -------
> > User-namespaces in the current form have increased the attack surface as
> > any process can acquire capabilities which are not available to them (by
> > default) by performing combination of clone()/unshare()/setns() syscalls.
> >
> > #define _GNU_SOURCE
> > #include <stdio.h>
> > #include <sched.h>
> > #include <netinet/in.h>
> >
> > int main(int ac, char **av)
> > {
> > int sock = -1;
> >
> > printf("Attempting to open RAW socket before unshare()...\n");
> > sock = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
> > if (sock < 0) {
> > perror("socket() SOCK_RAW failed: ");
> > } else {
> > printf("Successfully opened RAW-Sock before unshare().\n");
> > close(sock);
> > sock = -1;
> > }
> >
> > if (unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0) {
> > perror("unshare() failed: ");
> > return 1;
> > }
> >
> > printf("Attempting to open RAW socket after unshare()...\n");
> > sock = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
> > if (sock < 0) {
> > perror("socket() SOCK_RAW failed: ");
> > } else {
> > printf("Successfully opened RAW-Sock after unshare().\n");
> > close(sock);
> > sock = -1;
> > }
> >
> > return 0;
> > }
> >
> > The above example shows how easy it is to acquire NET_RAW capabilities
> > and once acquired, these processes could take benefit of above mentioned
> > or similar issues discovered/undiscovered with malicious intent. Note
> > that this is just an example and the problem/solution is not limited
> > to NET_RAW capability *only*.
> >
> > The easiest fix one can apply here is to lock-down user-namespaces which
> > many of the distros do (i.e. don't allow users to create user namespaces),
> > but unfortunately that prevents everyone from using them.
> >
> > Approach
> > --------
> > Introduce a notion of 'controlled' user-namespaces. Every process on
> > the host is allowed to create user-namespaces (governed by the limit
> > imposed by per-ns sysctl) however, mark user-namespaces created by
> > sandboxed processes as 'controlled'. Use this 'mark' at the time of
> > capability check in conjunction with a global capability whitelist.
> > If the capability is not whitelisted, processes that belong to
> > controlled user-namespaces will not be allowed.
> >
> > Once a user-ns is marked as 'controlled'; all its child user-
> > namespaces are marked as 'controlled' too.
> >
> > A global whitelist is list of capabilities governed by the
> > sysctl which is available to (privileged) user in init-ns to modify
> > while it's applicable to all controlled user-namespaces on the host.
> >
> > Marking user-namespaces controlled without modifying the whitelist is
> > equivalent of the current behavior. The default value of whitelist includes
> > all capabilities so that the compatibility is maintained. However it gives
> > admins fine-grained ability to control various capabilities system wide
> > without locking down user-namespaces.
> >
> > Please see individual patches in this series.
> >
> > Mahesh Bandewar (2):
> > capability: introduce sysctl for controlled user-ns capability whitelist
> > userns: control capabilities of some user namespaces
> >
> > Documentation/sysctl/kernel.txt | 21 +++++++++++++++++
> > include/linux/capability.h | 7 ++++++
> > include/linux/user_namespace.h | 25 ++++++++++++++++++++
> > kernel/capability.c | 52 +++++++++++++++++++++++++++++++++++++++++
> > kernel/sysctl.c | 5 ++++
> > kernel/user_namespace.c | 4 ++++
> > security/commoncap.c | 8 +++++++
> > 7 files changed, 122 insertions(+)
> >
> > --
> > 2.15.0.531.g2ccb3012c9-goog
> >
>
--
James Morris
<james.l.morris@oracle.com>
next prev parent reply other threads:[~2017-12-30 8:31 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-05 22:30 [PATCHv3 0/2] capability controlled user-namespaces Mahesh Bandewar
[not found] ` <20171205223052.12687-1-mahesh-bmGAjcP2qsnk1uMJSBkQmQ@public.gmane.org>
2017-12-27 17:09 ` Mahesh Bandewar (महेश बंडेवार)
2017-12-27 20:23 ` Michael Kerrisk (man-pages)
2017-12-28 0:45 ` Mahesh Bandewar (महेश बंडेवार)
[not found] ` <CAF2d9jjCJxu+oiCCSa1zN8OxfdiCMQb4dx7Mc0YdNgJuMNkOzw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-12-30 8:50 ` Michael Kerrisk (man-pages)
2018-01-03 1:35 ` Mahesh Bandewar (महेश बंडेवार)
2017-12-30 8:31 ` James Morris [this message]
2018-01-03 1:30 ` Mahesh Bandewar (महेश बंडेवार)
2018-01-08 0:35 ` James Morris
2018-01-08 6:24 ` Serge E. Hallyn
2018-01-08 9:51 ` James Morris
2018-01-08 15:47 ` Serge E. Hallyn
2018-01-08 17:21 ` Mahesh Bandewar (महेश बंडेवार)
[not found] ` <CAF2d9jgVJpuAH+jgK0v7sQ9Pr75xy=GSnqKDdpeE7d97O0EbcQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2018-01-08 18:11 ` Serge E. Hallyn
2018-01-08 18:24 ` Mahesh Bandewar (महेश बंडेवार)
2018-01-08 18:36 ` Serge E. Hallyn
2018-01-08 18:55 ` Mahesh Bandewar (महेश बंडेवार)
2018-01-09 22:28 ` Serge E. Hallyn
[not found] ` <20180109222859.GA25956-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2018-01-10 2:08 ` Mahesh Bandewar (महेश बंडेवार)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.LFD.2.20.1712301931360.24310@localhost \
--to=james.l.morris@oracle.com \
--cc=davem@davemloft.net \
--cc=ebiederm@xmission.com \
--cc=edumazet@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mahesh@bandewar.net \
--cc=maheshb@google.com \
--cc=netdev@vger.kernel.org \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).